Analysis

max time kernel: 297s
max time network: 296s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2025, 08:28

Static task: static1
Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win10v2004-20250314-en
General

Target: Quotation.exe
Size: 1.3MB
MD5: e977a5a34debb3c0d149c501a79e1c26
SHA1: a56bf47f641e37dc4c5cd071d8ffe93400161b75
SHA256: ac0c3e2880e025ddba8da36cd191b666b9dc88b120a74c3357386ad5e766f747
SHA512: 570352094bd0bf801da20bb9e37034556a64d81ad2dcb20db5ee79c9bd7799833e580f55fff2afa5258f606e349f7c4713071e5846d5b1d857a7d74c622f1139
SSDEEP: 24576:Fu6J33O0c+JY5UZ+XC0kGso6FasxjKI1T1GpUQ7M3UF4KvcKlWY:Hu0c++OCvkGs9Fasx/1Tkpn7ME9viY
Malware Config

Extracted: remcos

RemoteHost: 196.251.86.41:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-83VOGC
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

- Remcos family

- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unspattered.vbs (process: unspattered.exe)

- Executes dropped EXE (1 IoC)
  PID 4836: unspattered.exe

- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Resource: behavioral1/files/0x0014000000023fa0-9.dat (yara rule: autoit_exe)

- Suspicious use of SetThreadContext (1 IoC)
  PID 4836 (unspattered.exe) set thread context of 6060 (procid_target 94)

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: unspattered.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Quotation.exe)

- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4836: unspattered.exe

- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 5436: Quotation.exe (2 occurrences)
  PID 4836: unspattered.exe (2 occurrences)

- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 5436: Quotation.exe (2 occurrences)
  PID 4836: unspattered.exe (2 occurrences)

- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 5436 (Quotation.exe) wrote to memory of 4836 (procid_target 89), 3 occurrences
  PID 4836 (unspattered.exe) wrote to memory of 6060 (procid_target 94), 4 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\Quotation.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
   PID: 5436
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\alarmingness\unspattered.exe (child of PID 5436)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      PID: 4836
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe (child of PID 4836)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
         PID: 6060
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: e977a5a34debb3c0d149c501a79e1c26
SHA1: a56bf47f641e37dc4c5cd071d8ffe93400161b75
SHA256: ac0c3e2880e025ddba8da36cd191b666b9dc88b120a74c3357386ad5e766f747
SHA512: 570352094bd0bf801da20bb9e37034556a64d81ad2dcb20db5ee79c9bd7799833e580f55fff2afa5258f606e349f7c4713071e5846d5b1d857a7d74c622f1139